A blog by Jonathan Eggers

Managing Ex-Employee Mailboxes in Microsoft’s Office 365

One common request that I routinely encounter is to manage the mailboxes of employees that are leaving, or have left, a company. In these situations it is common to have the ex-employee’s mailbox configured to forward email, allow other users to access the mailbox, and eventually delete the mailbox or block incoming mail to the mailbox.

Although there are a few different ways to accomplish these tasks in Office 365, I’m going to focus on using PowerShell to make changes to the Exchange environment. There will still be instances where it is necessary to log in to the Admin portal, but working in PowerShell gives you more options for configuration.

The AutoMapping flag determines whether the mailbox will automatically appear in Outlook (version 2007 or newer) for the user who was granted access.

Personally, I don’t care for giving one-off FullAccess rights, as I find it difficult to manage in the long run. Rather, I prefer to create a security group that has full access to the mailbox, then add users to that security group. This allows for a much more sustainable management of the server. Furthermore, it gives you the option of setting a user as the owner of the security group, allowing them to provide or revoke access to the mailbox through Outlook or OWA.

The final command is optional and allows members of the security group SG_name to send email as the ex-employee.

Once the security group is in place users can be added and the mailbox can be opened in Outlook.
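The security-group approach described above, written out as an added example (this is not the post's own code). It assumes an Exchange Online remote PowerShell session is already connected; the mailbox, group, owner and member identities are placeholders.

```powershell
# Added example: off-board a mailbox by granting access through a security group.
# Assumes an Exchange Online PowerShell session is already connected.
# All identities below are placeholders for your own tenant.
$Mailbox     = 'jdoe@contoso.com'                  # ex-employee's mailbox
$GroupName   = 'SG_jdoe'                           # group that receives FullAccess
$Owner       = 'manager@contoso.com'               # owner who manages membership
$Members     = @('alice@contoso.com', 'bob@contoso.com')
$GrantSendAs = $false                              # optional SendAs for the group

# 1. Convert to a shared mailbox so the license can later be reclaimed.
Set-Mailbox -Identity $Mailbox -Type Shared

# 2. Create a mail-enabled security group (only these can hold mailbox rights),
#    hide it from the GAL so nobody mails it by mistake, and make the manager
#    its owner so membership can be changed from Outlook or OWA.
if (-not (Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Security -ManagedBy $Owner | Out-Null
    Set-DistributionGroup -Identity $GroupName -HiddenFromAddressListsEnabled $true
}
foreach ($member in $Members) {
    Add-DistributionGroupMember -Identity $GroupName -Member $member -ErrorAction SilentlyContinue
}

# 3. Grant the group FullAccess. AutoMapping only takes effect for rights
#    granted directly to a user, not to a group, so it is set to $false here
#    and members add the mailbox to their Outlook profile manually.
Add-MailboxPermission -Identity $Mailbox -User $GroupName `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false | Out-Null

# 4. Optional: allow group members to send as the ex-employee. In Exchange
#    Online this is Add-RecipientPermission rather than Add-ADPermission.
if ($GrantSendAs) {
    Add-RecipientPermission -Identity $Mailbox -Trustee $GroupName `
        -AccessRights SendAs -Confirm:$false | Out-Null
}

# 5. Review who ends up with explicit rights on the mailbox, so the grant can
#    be checked (and later revoked) in one place.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Mailbox |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights
```

Revoking access later is then a matter of removing the user from the group rather than hunting for one-off grants on the mailbox.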

Blocking incoming mail for the ex-employee

Eventually the user who is currently receiving email to a shared mailbox won’t want to receive it anymore. At this point, if it is no longer necessary to keep an archive of the email, the mailbox should be exported to PST for long-term backup and deleted from the Office 365 environment.

However, in some circumstances it might be necessary to keep the mailbox for archival purposes, but prevent email from being delivered to it. This can be accomplished in a couple of ways.

First, you can change the email address of the account to something random using the following command:

This command will replace all existing email addresses associated with the account, including aliases, with the one address entered. If you do this, I would recommend hiding the mailbox from the Global Address Book, which can be done with the following command:

Set-Mailbox <user> -HiddenFromAddressListsEnabled $true
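The address-replacement option above as an added example (not code from the original post): it records the existing addresses before Set-Mailbox -EmailAddresses overwrites them, hides the mailbox, and then applies the random address. It assumes a connected Exchange Online session; the mailbox identity and snapshot path are placeholders.

```powershell
# Added example: stop delivery to a retained mailbox by replacing all of its
# addresses with a random one, after hiding it from the address lists.
# Assumes an Exchange Online PowerShell session is already connected.
$Mailbox  = 'jdoe@contoso.com'                                     # placeholder
$Snapshot = "C:\Offboarding\$($Mailbox -replace '@', '_')-addresses.txt"

$mbx = Get-Mailbox -Identity $Mailbox

# Directory-synced objects have their proxy addresses owned by on-premises AD;
# editing them in Exchange Online fails or is overwritten on the next sync.
if ($mbx.IsDirSynced) {
    throw "$Mailbox is synced from on-premises AD; change its addresses there instead."
}

# Keep a record of the original addresses so the change can be reversed.
New-Item -ItemType Directory -Path (Split-Path $Snapshot) -Force | Out-Null
$mbx.EmailAddresses | Out-File -FilePath $Snapshot

# Hide the mailbox first, while its current identity still resolves.
Set-Mailbox -Identity $Mailbox -HiddenFromAddressListsEnabled $true

# Build a random primary address in the mailbox's current domain; the domain
# must be an accepted domain in the tenant or Set-Mailbox rejects it.
$domain        = ($mbx.PrimarySmtpAddress.ToString() -split '@')[1]
$randomAddress = '{0}@{1}' -f ([guid]::NewGuid().ToString('N')), $domain

# A single value passed to -EmailAddresses replaces EVERY existing address,
# aliases included. The uppercase SMTP: prefix marks it as the primary.
Set-Mailbox -Identity $Mailbox -EmailAddresses "SMTP:$randomAddress"

# Verify: the old address is gone and the mailbox is no longer in the GAL.
Get-Mailbox -Identity $randomAddress |
    Select-Object DisplayName, PrimarySmtpAddress, EmailAddresses, HiddenFromAddressListsEnabled
```

Mail sent to the old address will now be rejected by Exchange as an unknown recipient, while the mailbox contents remain in place.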

The other option is to use Forefront Online Protection for Exchange (FOPE), which is included as part of Office 365, to block incoming email sent to the ex-employee’s email address. Personally, I think this is a better option, as it allows you to retain the email address associated with the mailbox, while still blocking incoming email for that mailbox.

To create a policy rule to block email sent to a specific address, do the following:

Log in to the FOPE admin console

Click the Administration tab, then select Policy Rules

Create a new policy rule

Make sure the domain scope is for all domains, the traffic scope is for inbound messages, and the action is reject.

Add a description to the rule

Under the Recipient match enter the email address. If you have multiple email addresses, add them separated with commas, but no spaces.

If you want the sender to receive a rejection notification, check the Notify sender option and fill in the notification details.

Save the policy.

To Recap

Hopefully this post gives you the tools to better manage the mailboxes of ex-employees in Office 365.

To recap what we’ve covered:

Convert the mailbox to a shared mailbox (if it's under 10GB; previously 5GB), and free up a license

It’s worth noting that none of the PowerShell commands dealing with Exchange attribute modifications work under an ADFS-federated O365 environment. There, the only possible approach is to enforce delivery rules if one needs to block an account yet keep its contents.

Are you sure about the comment that “Once the mailbox is converted to a shared mailbox you can log in to the Admin portal and remove the license from the account, freeing up the license for use with another user” ??

I just converted the mailbox for an ex-employee to Shared, and then went to un-assign the Exchange license but encountered a warning indicating that removing the Exchange license would delete the mailbox entirely.

Yes, Microsoft shows that warning even though the data is safe. You can see in the following KB article’s introduction that Microsoft confirms mailboxes converted from user to shared in Office 365 do not require a license.

Thanks Jonathan. This is yet the most lucid explanation on the subject I have come across. One question though. Once you have converted a mailbox into a shared mailbox, taken the Office 365 license off it and done all the forwarding and the rest, what if you decide to resuscitate the account again? Does allocating the license back return the account with all the emails, calendar and the rest? Thanks

Giving it a license again will allow someone to log into that account – but the mailbox will still be a shared mailbox in Exchange. Shared mailboxes have a limit of 10GB and cannot have an online archive. If you want to convert a shared mailbox to a user mailbox you can run the following command:

Another option assuming the account has a P2 or E3 plan or higher – enable litigation hold for the mailbox then remove the account. The mailbox is no longer listed but you can run discovery against the mailbox and export to PST via the Discovery functions. This frees up the license and retains the data.

This is a great suggestion. The mailbox must have an E3 licence before the hold is put in place, then you must wait for the hold to complete indexing the mailbox before you remove the license and delete the mailbox.

However, users won’t be able to access the data themselves (unless you export to PST and make that file available).

Hi Jonathan, interesting reading. The way we normally do this is to backup the data to pst file, free up the E3 license, delete the account and then create a Distribution Group called EX_employeename with the old email address. We then add the staff members who are dealing with the incoming mail to the Group. After a while, we then delete the Distribution Group.

Great write up, I’ve been wondering about converting user mailboxes to shared but MS advised this wasn’t supported – they pointed me in the ‘inactive mailbox’ direction which is not ideal if supervisors need to reference emails and mount the mailbox.
